Unauthorized Social Network May Have Compromised VA Data For Years

As many as 50,000 Department of Veterans Affairs employees took part in an unauthorized internal social network that may have compromised VA data as far back as 2008, according to the results of an investigation released today.

In a heavily redacted 21-page report, released Thursday in response to a Freedom of Information Act request by MeriTalk, the VA’s Inspector General said tens of thousands of VA employees had registered for and used an unauthorized social collaboration tool known as Yammer.com. The platform, acquired by Microsoft in 2012, had been in use at the VA since 2008 even though it was not authorized because of security and privacy concerns.

“Even though it was not authorized for use, or monitored, it quickly became widely used by VA employees, without ever going through the appropriate approval process,” the IG report states. “We found that VA Yammer did not have the required Web-based Collaboration Service Coordinator, resulting in no one individual ensuring that the social media site did not contain improper posts, such as VA sensitive data, inappropriate content, or a misuse of official VA time and/or resources.”

The social platform was also known at the time to suffer from significant security vulnerabilities that could have placed veterans’ data at risk by allowing former VA employees to see sensitive posts for years.

“There were no restrictions for accessing this Web-based collaboration tool, other than having a @va.gov email address when signing up for access,” according to the IG report. “After signing up, any user could access, disseminate, or process sensitive information, which should be restricted to VA personnel with an official need to know, and there was an ability to privatize Group pages so that VA officials could not see the content of their posts.”

According to the IG’s investigation, VA employees “in mass … violated VA policy and guidance when they posted comments, uploaded, downloaded, shared files, and linked videos on the site.” Investigators also found several posts that contained VA sensitive data and numerous posts in which users “posted or uploaded unprofessional, non-VA related personal, and/or disparaging content that showed a broad actual and potential misuse of time and resources by VA Yammer users.”

Surprisingly, many VA employees may have believed the use of Yammer was authorized because former VA Chief Information Officer Stephen Warren had showcased and promoted the tool during an open chat forum in 2013, according to the IG.

“It was perceived as a trusted Web-based collaboration tool, used by trusted sources, and used frequently to download, upload, or share files,” the IG report states. Warren, who recently left VA to become the CIO at the Comptroller of the Currency, gave “the false impression that VA approved the use of Yammer.com.”

VA Chief of Staff Robert L. Nabors said in a response to the investigation that the agency will decide by Oct. 1 on what, if any, disciplinary actions it will take against personnel.